
NFS interview questions and answers

— ny_wk


NFS (Network File System) interview questions test whether you can configure, secure, mount, and troubleshoot Linux file sharing across a network. This guide turns the most-asked NFS interview questions and answers into clear, corrected explanations a Linux system administrator can defend in a real screening, with modern NFSv4 practice alongside the legacy commands you may still meet.

NFS lets a Linux host export a directory so remote clients mount it and use it as if it were local storage. It was created by Sun Microsystems in 1984 and remains the default shared-filesystem protocol on Linux. Interviewers focus on three things: the export configuration in /etc/exports, the squash and security options, and the daemons and ports that must be running. Get those right and most NFS questions become easy.

NFS fundamentals: the questions every interview opens with

What is NFS and who developed it?

NFS (Network File System) is a distributed file system protocol that allows a client to access files over a network as though they were on local disk. It was developed by Sun Microsystems in 1984 and is now an open standard maintained through IETF RFCs. It lets administrators consolidate storage on central servers and share it to many clients, simplifying backups and capacity planning.

Which NFS versions exist, and which should you use today?

The protocol versions are NFSv2 (RFC 1094, legacy), NFSv3 (RFC 1813), and NFSv4 (RFC 7530 and later, including NFSv4.1 and NFSv4.2). NFSv2 is effectively dead and limited to 32-bit file offsets. For any new deployment use NFSv4.2: it runs over a single TCP port, supports strong Kerberos security, stateful locking, ACLs, and server-side copy. A strong candidate names NFSv4 as the modern default and treats v2/v3 as legacy.

What is the difference between NFSv3 and NFSv4?

| Aspect | NFSv3 | NFSv4 |
| --- | --- | --- |
| Ports | Many ports via portmap/rpcbind (111, 2049, plus dynamic mountd/lockd) | Single port 2049, firewall-friendly |
| Statefulness | Stateless | Stateful protocol |
| Locking | Separate NLM/lockd daemons | Locking built into the protocol |
| Security | AUTH_SYS (UID/GID trust) | AUTH_SYS plus Kerberos (krb5, krb5i, krb5p) |
| Mount protocol | Needs separate mountd | Pseudo-filesystem, no separate mount protocol |

Note: the old claim that the only difference is an "8KB vs 32KB transfer rate" is wrong. NFSv3 raised the maximum read/write size and added 64-bit file sizes and asynchronous writes, but the practical NFSv4 advantages are the single port, statefulness, and Kerberos integration.

Can NFS grant access by username and password?

Not with the default AUTH_SYS security flavor. Classic NFS trusts the client-supplied UID/GID and restricts access by client IP or hostname in /etc/exports, which is why squash options exist. For real user authentication you must use NFSv4 with Kerberos (sec=krb5). So the accurate answer is: by default access is controlled per client IP/host, but Kerberos adds genuine per-user authentication.

Configuring exports: core NFS interview questions and answers

What is the NFS server configuration file?

The main file is /etc/exports. Each line lists a directory, the clients allowed to mount it, and per-client options in parentheses, for example:

    /data 192.168.1.51(rw,sync,no_subtree_check)
    /pub *.example.com(ro,sync,all_squash)

Additional snippets can live in /etc/exports.d/*.exports. There must be no space between the client and its opening parenthesis: 192.168.1.51(rw) means read-write for that host, while 192.168.1.51 (rw) means read-only for that host and read-write for everyone else.

Explain root_squash, no_root_squash, and all_squash.

  • root_squash (the default): requests from the client's root user (UID 0) are mapped to the anonymous user, so a remote root cannot act as root on the exported files. This is the safe default.
  • no_root_squash: the remote root is treated as local root. Powerful but dangerous; use it only for trusted hosts such as diskless boot images, never for general shares.
  • all_squash: every client user, not just root, is mapped to the anonymous user (anonuid/anongid). Ideal for public, read-only directories where identity does not matter.

What do sync, async, rw, and ro do?

  • rw / ro: export read-write or read-only.
  • sync: the server only confirms a write after it is committed to stable storage. This is the safe default and prevents data loss on a server crash.
  • async: the server replies before data is flushed, which is faster but risks corruption if the server dies. Mention the trade-off; do not recommend it blindly.
  • no_subtree_check: disables subtree checking, the recommended default in modern NFS because it is faster and more reliable.

Explain the exportfs command and its key options.

exportfs maintains the kernel's table of exported file systems. Memorize these:

| Command | What it does |
| --- | --- |
| exportfs -v | Display the current export list with all options |
| exportfs -r | Re-export all directories after editing /etc/exports |
| exportfs -a | Export (or unexport with -ua) everything in /etc/exports |
| exportfs -f | Flush the kernel export table; active clients get fresh entries from mountd on their next request |
| exportfs -o async 192.168.1.51:/data | Export /data to one host ad hoc, without editing /etc/exports |

Can I change export permissions without remounting clients?

Yes. Edit /etc/exports and run exportfs -r (or exportfs -ra). The new export options take effect immediately for subsequent requests; clients do not need to unmount and remount.

Mounting and client-side NFS interview questions

How do you add an NFS share to /etc/fstab?

For the share 192.168.1.51:/data mounted at /mnt/data, add a single line:

    192.168.1.51:/data /mnt/data nfs rw,_netdev,hard,nfsvers=4.2 0 0

The _netdev flag tells systemd to wait for the network before mounting, avoiding boot hangs. Then run mount -a to mount everything in fstab, or mount /mnt/data for just that entry. For on-demand mounts, prefer autofs over hard fstab entries.

Explain soft mounting versus hard mounting.

  • Hard mount (default and recommended): if the server is unreachable, the client retries indefinitely until the server returns. The process blocks but no data is lost. Combine with intr on old kernels, or rely on signal handling on modern ones.
  • Soft mount: after retrans retries the client gives up and returns an I/O error to the application. It avoids hung processes but can cause silent data corruption on writes, so reserve it for read-only or non-critical mounts.
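
The fstab and hard/soft guidance above, turned into a client-side check (an added example, not part of the original guide): it reads fstab-format text and reports NFS entries that use soft on a writable mount, omit _netdev, omit the nosuid/nodev options from this guide's hardening advice, or request NFSv3 or older. The sample entries, the function names and the issue wording are assumptions made for illustration.

```python
# Constructed sample /etc/fstab (illustrative hosts and paths, not from a real system).
SAMPLE_FSTAB = """\
UUID=0000-constructed  /          ext4  defaults  0 1
192.168.1.51:/data     /mnt/data  nfs   rw,_netdev,hard,nfsvers=4.2,nosuid,nodev  0 0
192.168.1.51:/scratch  /mnt/tmp   nfs   rw,soft,nfsvers=3  0 0
192.168.1.51:/pub      /mnt/pub   nfs4  ro,soft,_netdev,nosuid,nodev  0 0
"""

def nfs_entries(text):
    """Yield (mountpoint, fstype, options) for nfs/nfs4 lines of fstab text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[2] in ("nfs", "nfs4"):
            yield fields[1], fields[2], fields[3].split(",")

def nfs_version(fstype, options):
    """Requested major NFS version, or None when left to negotiation."""
    for opt in options:
        key, _, value = opt.partition("=")
        if key in ("nfsvers", "vers") and value[:1].isdigit():
            return int(value.split(".")[0])
    return 4 if fstype == "nfs4" else None

def audit_fstab(text):
    """Map each NFS mountpoint to the list of issues found in its options."""
    findings = {}
    for mountpoint, fstype, options in nfs_entries(text):
        opts, issues = set(options), []
        if "soft" in opts and "ro" not in opts:
            issues.append("soft on a writable mount")   # timeouts can lose writes
        if "_netdev" not in opts:
            issues.append("missing _netdev")            # may mount before network is up
        issues += [f"missing {f}" for f in ("nosuid", "nodev") if f not in opts]
        version = nfs_version(fstype, options)
        if version is not None and version < 4:
            issues.append("NFSv3 or older requested")
        if issues:
            findings[mountpoint] = issues
    return findings

if __name__ == "__main__":
    for mountpoint, issues in audit_fstab(SAMPLE_FSTAB).items():
        print(mountpoint, "->", "; ".join(issues))
```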

How do you list clients connected to an NFS server?

Use showmount -a to list client:directory pairs, and showmount -e to list what the server exports. Note that showmount relies on the v3 mount protocol; on a pure NFSv4 server it may show nothing, so also check /proc/fs/nfsd/clients/ or nfsstat.

Daemons, ports, and the rpcbind question

What is portmap / rpcbind and which port does it use?

NFSv2/v3 use Sun RPC, and the portmapper, now called rpcbind, maps RPC program numbers to the dynamic ports their daemons listen on. It listens on port 111. A client first contacts rpcbind to discover where mountd and lockd are running. NFSv4 does not need rpcbind because everything runs over port 2049.

Which ports and daemons does NFS require?

| Component | Port | Role |
| --- | --- | --- |
| nfsd | 2049/TCP | Core NFS server |
| rpcbind | 111 | RPC port mapping (v3 only) |
| rpc.mountd | dynamic (pin it) | Handles mount requests (v3) |
| rpc.statd / lockd | dynamic (v3) | Locking and crash recovery |
| rpc.idmapd | n/a | Maps user/group names for NFSv4 |

For NFSv4 you only need to open port 2049 in the firewall, which is a common follow-up question.

Does rpc.mountd support TCP wrappers?

On older systems (through RHEL 6) rpc.mountd was linked against libwrap, so you could allow or deny clients in /etc/hosts.allow and /etc/hosts.deny. Modern distributions have dropped tcp_wrappers; today you control access with firewalld/nftables and the export client list instead. Mention the legacy behavior but flag that it is deprecated.

Monitoring and troubleshooting NFS interview questions and answers

What does nfsstat do?

nfsstat prints client and server NFS statistics. Useful forms:

  • nfsstat -s shows server-side stats; nfsstat -c shows client-side.
  • nfsstat -o all shows all categories; add version filters like -3 or -4.
  • nfsstat -m on a client shows mounted NFS shares and their negotiated options.

An NFS mount fails. How do you troubleshoot it step by step?

  1. Confirm the server exports the path: showmount -e <server> or check /etc/exports and run exportfs -v.
  2. Verify the services are up: systemctl status nfs-server rpcbind on the server.
  3. Check RPC registration: rpcinfo -p <server>. A "Program not registered" error means a daemon or rpcbind is down.
  4. Test connectivity and firewall: ping, then confirm port 2049 (and 111 for v3) is open with ss -tlnp or nmap.
  5. Try a manual verbose mount: mount -v -t nfs <server>:/data /mnt and read the error.
  6. Inspect logs: journalctl -u nfs-server and dmesg.

How do you start, enable, and restart NFS on modern Linux?

  1. Install: dnf install nfs-utils (RHEL/Rocky) or apt install nfs-kernel-server (Debian/Ubuntu).
  2. Enable at boot and start: systemctl enable --now nfs-server.
  3. After editing exports: exportfs -ra (no full restart needed).

Security: the NFS questions that separate seniors from juniors

Because AUTH_SYS trusts the client, treat plain NFS as a trusted-network protocol. Strong answers mention these hardening steps:

  • Keep root_squash on and restrict exports to specific hosts or subnets, never * for writable shares.
  • Use NFSv4 with Kerberos: sec=krb5 for authentication, krb5i for integrity, krb5p for full encryption in transit.
  • Limit the firewall to port 2049 and run NFSv4-only where possible to shrink the attack surface.
  • Mount with nosuid and nodev on clients to block privilege-escalation tricks via shared files.
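
The export-side checks from this section and from the /etc/exports syntax rules earlier, as a small audit script (an added example, not part of the original guide): it parses exports-format text and flags an option list separated from its client by a space, writable exports to every host, no_root_squash, async, and writable exports that still accept AUTH_SYS. The sample file, the function names and the finding codes are assumptions made for illustration.

```python
import re

# Constructed sample /etc/exports (illustrative hosts, not from a real server).
SAMPLE_EXPORTS = """\
/data    192.168.1.51(rw,sync,no_subtree_check)
/pub     *.example.com(ro,sync,all_squash)
/backup  192.168.1.51 (rw,sync)
/images  *(rw,async,no_root_squash)
/secure  10.0.0.0/24(rw,sync,sec=krb5p)
"""

# One entry: optional client with an optional "(opt,opt,...)" glued to it.
ENTRY = re.compile(r"^([^()\s]*)(?:\(([^()]*)\))?$")

def parse_exports(text):
    """Yield (lineno, path, client, options) for every client entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = ENTRY.match(entry)
            client, opts = (m.group(1), m.group(2)) if m else (entry, None)
            yield lineno, path, client, set(filter(None, (opts or "").split(",")))

def allows_auth_sys(options):
    """True unless every sec= flavor is Kerberos (no sec= means sec=sys)."""
    sec = [o[4:] for o in options if o.startswith("sec=")]
    flavors = sec[0].split(":") if sec else ["sys"]
    return any(not f.startswith("krb5") for f in flavors)

def audit_exports(text):
    """Return (lineno, path, code) findings for risky export entries."""
    findings = []
    for lineno, path, client, options in parse_exports(text):
        checks = [
            ("NO_CLIENT", client == ""),  # "(rw)" after a space: applies to all hosts
            ("WORLD_RW", client in ("", "*") and "rw" in options),
            ("NO_ROOT_SQUASH", "no_root_squash" in options),
            ("ASYNC", "async" in options),  # acknowledged writes can be lost on crash
            ("AUTH_SYS_RW", "rw" in options and allows_auth_sys(options)),
        ]
        findings += [(lineno, path, code) for code, hit in checks if hit]
    return findings

if __name__ == "__main__":
    for lineno, path, code in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path}: {code}")
```

On the constructed sample, the /backup line is the one to study: the host itself gets only the default options, while the detached (rw,sync) list is reported as a writable export to every host.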

Common pitfalls candidates trip on

  • Saying NFS authenticates by username and password by default. It does not, unless Kerberos is configured.
  • Putting a space before the parenthesis in /etc/exports, which silently changes permissions.
  • Forgetting exportfs -ra after editing exports and wondering why nothing changed.
  • Recommending async or soft mounts for important data without naming the corruption risk.
  • Assuming showmount works on NFSv4-only servers; it often returns nothing.
  • Leaving no_root_squash on a general share, a serious security hole.

Quick verification checklist

Before you call an NFS setup done, confirm each item:

  1. Server: exportfs -v lists the directory with the intended options.
  2. Server: systemctl is-active nfs-server returns active.
  3. Client: showmount -e <server> (v3) or a successful mount proves reachability.
  4. Client: mount | grep nfs and nfsstat -m show the mount and negotiated version.
  5. Functional test: write a file from the client and confirm it appears on the server with the expected ownership (squash mapping correct).

Key Takeaways

  • NFS shares Linux directories over a network; /etc/exports plus exportfs -ra control what is exported and to whom.
  • Use NFSv4.2 for new work: single port 2049, stateful, Kerberos-capable, and firewall-friendly compared with NFSv3.
  • Squash options are central: keep root_squash on, use all_squash for public shares, and avoid no_root_squash except for trusted hosts.
  • Prefer hard, sync mounts for important data; soft and async trade safety for speed and can corrupt data.
  • Troubleshoot in order: exports, services, rpcinfo -p, firewall/port 2049, verbose mount, then logs.

Frequently Asked Questions

Which port does NFS use?

NFSv4 uses a single port, 2049/TCP, which is all you usually need to open in the firewall. NFSv3 additionally needs port 111 for rpcbind plus dynamic ports for mountd and lockd, which is one reason NFSv4 is preferred.

What is the difference between hard and soft NFS mounts?

A hard mount retries indefinitely if the server is unavailable, blocking the process but protecting data; it is the safe default. A soft mount returns an I/O error after a set number of retries, which avoids hung processes but can cause silent data loss on writes.

Is NFS secure for use over the internet?

Plain NFS with AUTH_SYS trusts client UIDs and is meant for trusted LANs, not the open internet. To use it safely across untrusted networks, configure NFSv4 with Kerberos (krb5p for encryption) or tunnel it over a VPN, and lock the firewall down to port 2049.

How do I reload NFS exports without restarting the service?

Edit /etc/exports, then run exportfs -ra to re-export everything. Changes apply immediately to new requests, and connected clients do not need to remount.
